CentOS 6 - OpenLDAP 2.4 server with TLS
This guide installs OpenLDAP 2.4 with TLS. Tested on a CentOS 6.5 minimal install.
Configure iptables
- Open the LDAP (389) and LDAPS (636) ports in /etc/sysconfig/iptables. The commands below insert the rules at positions 6 and 7 of the INPUT chain, then save the ruleset so it persists across reboots.
iptables -I INPUT 6 -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT -m comment --comment LDAP
iptables -I INPUT 7 -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT -m comment --comment LDAPS
service iptables save
Install OpenLDAP 2.4
Install packages
yum install openldap-clients pam_ldap nss-pam-ldapd pam_krb5 sssd migrationtools openldap-servers openldap openldap-devel
Configure SSL certificates
Put your CA root certificate, server certificate and private key at the paths below. The private key must be readable by the ldap user that slapd runs as and by nobody else (for example chown root:ldap and chmod 640).
/etc/openldap/certs/cacert.pem   # CA root certificate
/etc/openldap/certs/server.key   # private key
/etc/openldap/certs/server.crt   # server certificate
Enable LDAPS
vi /etc/sysconfig/ldap
SLAPD_LDAPS=yes
Use DB config example
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
Set permissions
chown -Rf ldap:ldap /var/lib/ldap
Set LDAP root password
slappasswd
New password: <password>
Re-enter new password: <password>
{SSHA}<hash>
Change default DN
vi /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
olcSuffix: <your DN>
To let users change their own passwords, append the following lines after the last olcDbIndex line in the same file.
olcAccess: to attrs=userPassword by self write by anonymous auth by dn.base="cn=Manager,<your DN>" write by * none
olcAccess: to * by self write by dn.base="cn=Manager,<your DN>" write by * read
Set the root password on the last line of the same file:
olcRootPW: {SSHA}<hash>
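The two olcAccess lines above, modelled as an added example (not code from this page or from OpenLDAP): it applies slapd's first-matching "to" clause / first-matching "by" clause rule and shows that the second line's "by self write" lets a user modify every attribute of their own entry, including the uidNumber and gidNumber that client hosts trust for identity mapping, so a least-privilege variant would list the attributes self may write. The manager DN and the user DNs are assumed placeholders.

```python
# Added example, not from the page: a model of the two olcAccess rules above,
# using slapd's first-matching "to" / first-matching "by" semantics for just
# the who-types the page uses (self, anonymous, dn.base, *).

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
MANAGER_DN = "cn=Manager,dc=example,dc=com"  # assumed value of cn=Manager,<your DN>
# Each rule: (attribute covered, or None for "to *", ordered (who, level) pairs).
ACL = [
    ("userPassword", [("self", "write"), ("anonymous", "auth"),
                      ("dn:" + MANAGER_DN, "write"), ("*", "none")]),
    (None, [("self", "write"), ("dn:" + MANAGER_DN, "write"), ("*", "read")]),
]

def norm(dn):
    """DNs match case-insensitively; lower-casing is enough for this model."""
    return None if dn is None else dn.lower()

def who_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and norm(bind_dn) == norm(target_dn)
    if who.startswith("dn:"):
        return norm(bind_dn) == norm(who[3:])
    raise ValueError("unsupported who clause: " + who)

def granted_level(bind_dn, target_dn, attr):
    """Access level slapd grants bind_dn on attr of target_dn under ACL."""
    for attr_filter, by_clauses in ACL:
        if attr_filter is not None and attr_filter.lower() != attr.lower():
            continue  # this "to" clause does not cover the attribute
        for who, level in by_clauses:
            if who_matches(who, bind_dn, target_dn):
                return level  # first matching "by" clause wins
        return "none"  # "to" matched but no "by" did: denied
    return "none"  # no "to" clause matched

def allowed(bind_dn, target_dn, attr, needed):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(granted_level(bind_dn, target_dn, attr)) >= LEVELS.index(needed)

if __name__ == "__main__":
    alice = "uid=alice,ou=People,dc=example,dc=com"
    bob = "uid=bob,ou=People,dc=example,dc=com"
    print(allowed(alice, alice, "userPassword", "write"))  # True: self-service password change
    print(allowed(bob, alice, "userPassword", "read"))     # False: other users see nothing
    print(allowed(alice, alice, "uidNumber", "write"))     # True: "to * by self write" covers posix attrs
```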
Correct the DN in olcDatabase={1}monitor.ldif
vi olcDatabase={1}monitor.ldif
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=manager,<your DN>" read by * none
Test server config and start
slaptest -u
service slapd start
chkconfig slapd on
Configure as client
authconfig-tui
[*] Use LDAP
[*] Use Shadow passwords
[*] Use LDAP Authentication
[*] Local authorization is sufficient
[*] Use TLS
Server: ldaps://<server>:636
Base DN: <your DN>
Test:
ldapsearch -x -b "dc=localdomain,dc=com"
Output: search: 2
Test TLS:
ldapsearch -x -b "dc=localdomain,dc=com" -ZZ
Output: search: 3
Configure LDAP server
Configure base domain
# ldapadd -x -W -D "cn=Manager,<your DN>" -f base.ldif

# base.ldif (the dc value must equal the leading dc= component of <your DN>):
dn: <your DN>
dc: <leftmost dc value of your DN>
objectClass: top
objectClass: domain

dn: ou=People,<your DN>
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,<your DN>
ou: Group
objectClass: top
objectClass: organizationalUnit
Create posix user
# ldapadd -x -W -D "cn=Manager,<your DN>" -f posix_user.ldif
#
# set password (-s puts the new password on the command line, where other
# local users can read it from the process list; -S prompts for it instead)
# ldappasswd -s newpassword -D "cn=Manager,<your DN>" -W -x uid=username,ou=People,<your DN>

# posix_user.ldif:
dn: uid=username,ou=People,<your DN>
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: User Name
uid: username
uidNumber: 3000
gidNumber: 3000
homeDirectory: /home/username
loginShell: /bin/bash
gecos: User Name
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
Create posix group
# ldapadd -x -W -D "cn=Manager,<your DN>" -f posix_group.ldif

# posix_group.ldif (the cn in the DN must match the cn attribute, or ldapadd rejects the entry):
dn: cn=username,ou=Group,<your DN>
objectClass: top
objectClass: posixGroup
cn: username
gidNumber: 3000
openldap_server_with_tls_centos_6.5.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1